1. At what extent have the project deliveries & objectives been accomplished? Having in consideration the assumed ones, please exemplify writing down those of them that haven't been realised.

The project set out to protect the vulnerable webgoat application without touching a line of code. Facing an unstable (and partially buggy) Webgoat version the project leader and sole contributor had to find a pragmatic approach to deal with this issue. On top of that it quickly turned out, that expermiental features of ModSecurity had to be used.

Stephen Evans managed to cope with these troubles and actually continued in a systematic and well documented way. This is crucial for this project as it will be used by new and intermediate users of ModSecurity in the future as a case study for their own work.

There are still a few challenges ahead, but looking at the results so far, Stephen is well set to tackle those as well. The rules speak for themselves: they are of a very high quality in my eyes.

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration the assumed ones, please quantify in terms of percentage.

Well over 50%. Including some tricky lessons.

3. Please do use the right hand side column to provide advice and make work suggestions.

Background:
- Embedded or as Reverse Proxy? Not quite clear what you mean.
- I guess you mean within the application server or within an Apache RP.
- Webgoat should be introduced too in this paragraph.